Huh? As far as I know every Intel ME has access to the internet, can receive push firmware updates and write access to everything else on the system. It does not need a modified version, they can just use the official way, the normal Intel ME on target devices, if they can cloack their access of the official server, which I think could be achieved of using just the key of the official server and then use another server posing as the official server.
But it has been a while that I read about it and I never took it apart myself, so maybe what I wrote is not possible for technical reasons.
I don't think that's the case. Don't you need to have a selected NIC, integrated properly to get the Intel ME network features? Typically branded as "Intel vPro"
Otherwise, you need something in your OS to ship data back and forth between the ME and whatever NIC you have.
vPro, also known as AMT, is proprietary and it's for professional desktop and laptop systems. ME instead is based on IPMI and is for server-class systems.
Are they reusing the name to be more confusing? Intel ME calls to mind the management engine that's been embedded in most Intel based computers for the last 15 or so years.
The trouble is, as far as I know, that the ME cannot be deactivated. Even if you are a really sensitive network.
Your option is to find some of the few Intel chips without it, or find another chip vendor.
This often means you can't use common off the shelf systems, so now you can be a victim of a targetted supply chain attack.
But it has been a while that I read about it and I never took it apart myself, so maybe what I wrote is not possible for technical reasons.